Configuring System Integrity Protection without booting to Recovery HD
One interesting part of Apple’s developer documentation for System Integrity Protection (SIP) is the note shown below, indicating that it’s possible to configure SIP for environments that can’t access Recovery.
When I followed up with Apple about this, I was told that this meant I could configure it using NetBoot, using a NetBoot set that included the needed Recovery environment.
The example given was a new option in System Image Utility for creating a package-only installation NetBoot set.
This new type of NetBoot set is designed to install only scripts, configuration profiles and packages, as opposed to installing an OS. For more details, see below the jump.
To test this, I wrote a script that uses csrutil netboot add to add two IP addresses to the NetBoot whitelist.
Once I had my script written, I built a package-only NetBoot set using System Image Utility and added the script to it.
Once completed, I booted a VM running OS X El Capitan from the NetBoot set to verify that the process works.
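As an added example (this is not the script from the original post), here is a shell script of the kind that could go into a package-only NetBoot set: it validates each address and then adds it with csrutil netboot add, printing the whitelist before and after. The two IP addresses are placeholders, and the check for csrutil at the end is an assumption of mine so the script does nothing on a host that lacks the tool.

```bash
#!/bin/bash
# Added example, not the script from the original post.
# Adds NetBoot server addresses to the SIP NetBoot whitelist using
# `csrutil netboot add` (OS X 10.11 and later). The two addresses below
# are placeholders; replace them with your own NetBoot servers.

NETBOOT_SERVERS="192.168.10.5 192.168.10.6"

# Returns 0 if the argument is a dotted-quad IPv4 address (each octet 0-255),
# so a typo in the list is caught before csrutil is ever called.
is_ipv4() {
    local ip="$1" octet
    case "$ip" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    local IFS='.'
    set -- $ip
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Adds every address in the space-separated list to the whitelist.
# Returns non-zero if any address is malformed or csrutil rejects it,
# so a postinstall script can report failure instead of rebooting with
# an incomplete whitelist.
add_netboot_servers() {
    local server rc=0
    for server in $1; do
        if ! is_ipv4 "$server"; then
            echo "Skipping malformed address: $server" >&2
            rc=1
            continue
        fi
        if ! csrutil netboot add "$server"; then
            echo "csrutil rejected $server" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Only touch the whitelist when csrutil exists (i.e. on the NetBooted Mac);
# elsewhere the script just explains why it did nothing.
if command -v csrutil >/dev/null 2>&1; then
    echo "Whitelist before:"
    csrutil netboot list
    if ! add_netboot_servers "$NETBOOT_SERVERS"; then
        echo "One or more addresses were not added; the whitelist may be incomplete." >&2
    fi
    echo "Whitelist after:"
    csrutil netboot list
else
    echo "csrutil not found: run this on OS X 10.11 or later, e.g. from a NetBoot set." >&2
fi
```

csrutil netboot add only works from a Recovery or NetBoot environment, which is why the post runs the script from the NetBoot set rather than from the installed OS.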
To demonstrate how the process looks, I’ve made a video showing the following process:
- Running csrutil status and csrutil netboot list to show that the Mac has SIP enabled, but no entries in the NetBoot whitelist.
- NetBooting the VM from the packages-only NetBoot set
- The NetBoot set running the script and rebooting
- Running csrutil status and csrutil netboot list to show that the Mac still has SIP enabled and now also has the two IP addresses in the NetBoot whitelist.
Note: The video has been edited to artificially reduce the amount of time it took to NetBoot and restart.
Could this be included during install of El Cap? So if you were upgrading (or fresh re-imaging) from, say, 10.10 to 10.11, could you install the NetBoot whitelist script at the same time? Otherwise, if you are already on 10.11 and need to use bless to target a NetBoot set, isn't this already a moot point?
Hi Rich,
Apple did a lot of work on System Image Utility. You can now set it to erase and auto-run, and install files, scripts, apps and profiles in a NetInstall. Those features were there in the past, but I never got them working.
The auto-run OS install (NetInstall) is great, but it won't erase an encrypted HD.
C
Is it possible to add /usr/sbin/fdesetup in /etc/sudoer? I tried that, but it didn't work. There is a possibility I am doing something wrong. Your help would be great.
Rich, I used Apple Remote Desktop to tell a client to boot from a NetInstall server, and that worked as it did before SIP (with the known issue that the ARD management Mac must be in the same VLAN, with the same NetInstall servers visible, to make this work).
This is probably allowed because ARD is ‘trusted’ software (?! I am guessing here)
That may be easier than your script in SIU.